You might think that a "secure certificate" is all about encryption. Actually there are two reasons to buy a secure certificate and only one of them is encryption. The other one is about "legitimacy". That second reason is a bit of a sham. It's also about how a very few companies get to profit from a ubiquitous a essentially free technology.
When your browser opens an SSL page for the first time it attempts to create an encrypted session by downloading and synching up the public and private keys. So far so good. In the process of synching however it looks at the features of the certificate - the domain, expiration, and the issuer or "certificate authority" (CA). The CA is the organization that issued the certificate. It is (in theory) a third party that has verified that your site is legitimate and that you have a right to use the certificate. The truth is that anyone with a certificate server can be an issuer. In fact there are a number of totally free certificate services out there. Microsoft has included certificate serving on it's server line since the days of NT 4.0. So why are we paying certificates?
The answer is in how the browser is configured by default. Try this experiment. Go to this URL in your Firefox browser. You will probably see a message that says "Unable to verify Katapultmedia.com as a trusted site". Now click on the button that says "Examine Certificate". Take a look and see if you can figure out the problem (don't look at the message at the top). The domain matches and it's not expired. Hmmm.... Now check out the message at the top. It says the "issuer is unknown". However, the issuer is definitely listed. It says "cacert.org".
If you accept the certificate your session will be encrypted with no problem. In fact, you can use an expired certificate and your session will still be encrypted. This message is not about encryption. It's not saying your "data may not be safe". It's saying that the site itself may not be safe because it has not been verified by a recognized certificate authority. And who are these authorities? I'm glad you asked. To see the list for the Firefox browser go to Tools-Options and click on the "advanced" tab. Scroll down and expand the "certificates" section and click on the button titled "manage certificates". Then select the "Authorities" tab at the top. You will see a long list of authorities. If one of these companies had issued the cert in question you would have not seen this message. To see Internet Explorer's list go to "tools-Internet Options" and click on the "content" tab. Then select the "certificates" button and click on the "trusted root certification authorities".
The idea is that some "other" disinterested party that (presumably) the browser makers have checked out verifying the legitimacy of your site. Of course, this is pretty much a sham. It's easy to get a certificate from a trusted authority - no matter who you say you are. It only takes money. It's a nice racket if you are Verisgn to be sure. If I'm an ecommerce store I'm forced to shell out in order to suppress the panicky message sent to the user by the browser - even though my user would be just as "safe" if I issued my own certificate or used a freebie. In fact, in cases where the site is not going to be public but still needs encryption, there's really no reason to go through the process of buying a certificate. Create your own or use a free one (like from cacert.org). Simply accept the cert the first time and forget about it.
For ecommerce sites however, that message is going to mean lost sales - and that can't be tolerated. Of course you could import new authorities into the browser - you could "force" the browser to recognize an issuer as an authority (which would effectively suppress the message). But this means forcing users to navigate a tricky technical landscape where they are not likely to venture. So you are stuck with buying a cert from a trusted authority. You might notice that both IE and Firefox support a pretty large group of authorities. The bad news is that some of these are the same company functioning under several authority names. It's also true that older browsers supported fewer trusted authorities - so your options get narrower and narrower depending on your requirements. If you have a large ecommerce site I suggest bighting the bullet and buying a Verisign cert.
One thing I forgot to mention was the guarantees provided by the authority. Sites that function as certificate authorities also offer a form of "insurance" against the certificate being "cracked". Of course, a hacker would have to "crack" your cert and be able to sniff your traffic. While this is theoretically a possibility, I know of no lawsuits or incidents based on faulty or compromised certificates. Perhaps someone can enlighten me. It's sort of like hiring someone to protect you from Tigers in South Dakota. "....but there aren't any tigers in South Dakota"... "see what a good job we are doing!".